Global-based communications networks such as the Internet have evolved from an early, research-based system with limited access, to a truly world wide network with millions of users. The original network protocol, TCP/IP, was designed on the basis that system users would connect to the network for strictly legitimate purposes. As a consequence, no particular consideration was given to security issues. In recent years, however, the incidence of malicious attacks on the Internet has grown to an alarming proportion. Due to its anonymous nature, the Internet Protocol (IP) makes it extremely difficult to precisely identify the real source of any given datagram, and thus any given flow, if the source wishes to remain unknown. These attacks take on a variety of forms, and often lead to a complete disruption of service for a targeted victim.
The propagation of malware (software designed specifically to damage a system such as flooding, worms and viruses) can be very disruptive in distributed networks. Even though the impact of a worm or a virus on any given equipment (e.g. computer, server, router) is very often benign, the cumulative effects of tens of thousands of infected equipment spreading as fast as possible the malware to other equipments can be disastrous. In such cases, the networks may cease to provide efficiently their services to their users due to congestion.
One such attack is based on the concept of flooding a victim with so much traffic that the victim's server cannot cope, or with very effective malicious packets at lower rates. Other ways of denying service to a network user are viruses. A computer virus is a program or programming code that replicates itself across a network in various ways. A virus can be viewed as DoS (denial of service) attack where the victim is not usually specifically targeted, but simply a host unlucky enough to get the virus. Depending on the particular virus, the denial of service can be hardly noticeable ranging all the way through disastrous.
A virus that replicates itself by resending itself as an e-mail attachment or as part of a network message is known as a worm; they are generally noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks. The worms operate by exploiting both known and previously unknown software vulnerabilities in applications and systems software and propagate rapidly across the network. By hijacking trusted applications such as web servers, mail transfer agents and log-in servers, which typically run with many global permission, worms can gain full access to system resources, and cause complete system compromise.
The capacity to detect as fast as possible the propagation of malware and to react efficiently to on-going attacks inside the network in order to protect the network infrastructure is becoming a real challenge for network operators. This is particularly relevant for large distributed networks. In such networks, the network equipment (routers, switches) that constitutes the infrastructure must play an important role in limiting the propagation of malware. To protect their network and systems today, enterprises deploy a layered defense model, which includes firewalls, anti-virus systems, access management and intrusion detections systems (IDS). Defense models have been around for years, and yet to date none have been able to deliver on the final goal of providing full protection against all attacks with little associated cost and annoyance.
For example, a paper entitled “Intrusion Detection System” by Rebecca Bace and Peter Mell, dated November 2001 and available on NIST Special Publication website as SP-800-31, describes the current status of the IDS. Some of the techniques described in this paper have been designed specifically for detecting malware propagation in telecommunication networks infrastructure. They can be divided into two main categories: Flow-based analysis and Deep-packet analysis. Flow-based analysis includes methods for tracking malicious continuous flows of IP packets by analyzing the traffic flows in the telecommunication infrastructure to detect unusual patterns. It relies usually on technologies as Netflow, IPFix, and RTFM implemented into routers. An example of such a technology is described in the paper entitled “Correlation Between NetFlow System and Network Views for Intrusion Detection” by C. Abad et al. published in Workshop on Link Analysis, Counter-terrorism, and Privacy, April 2004. The Deep-packet analysis methodology includes the methods for tracking back single malicious IP packets by analyzing each packet to detect either known signatures or frequently seen patterns. An example of such a technology is described in the paper entitled “Deep Packet Inspection Using Parallel Bloom Filters”, by S. Dharmapurikar et al. in IEEE Micro January 2004. Some of the methods for tracking continuous flows may also be used to track-back single packets, such as for example the iTrace method referred to above. However, the price to pay is overwhelming.
The solutions available so far do not detect and stop DoS attacks fast enough, and are expensive. Responsiveness is impacted by the fact that the current IDSs are based on multiple components: routers, firewalls, intrusion/anomaly detection systems. Under critical conditions, these systems may have problems to communicate and coordinate the required counter-measures. Monitoring and analysis of all packets going through high-end routers is impossible with current technology without introducing packet delays and losses, impacting on the effectiveness of the respective IDS. Monitoring and analysis all packets going through high-end routers requires specialized hardware or additional equipment coupled with the routers, increasing the complexity and the cost of the infrastructure. Even so, it may still have effectiveness problems.
Generic in-line Intrusion Prevention Systems (IPS) also rely on signatures and flows measurements to detect and block malicious activities in a network, hence their capabilities are limited in blocking zero-day worms. Moreover, if their detection algorithm is based on statistical observations (e.g. flow's bandwidth, number of active ports per host, etc.) it may take some time before an IPS system can start blocking a worm. Due to this window of time, an enterprise could be held accountable for the spreading of the worm. Also, signature and behavior monitoring technologies are not effective the first time a new worm spreads across the Internet, since it is not feasible to setup a policy that recognizes the malicious software until the attack happens. Signatures and policies can be updated periodically, but only after a worm or other malicious software has been recognized and studied. Signature monitoring technologies are not effective the first time a new worm spreads across the Internet. It is also extremely difficult to distinguish between the identity or behavior of ‘good’ and ‘bad’ code. This results in a large number of ‘false positives’ that limit the purpose of many prevention systems to detecting events rather than protecting against them.
Furthermore, both signature and behavior monitoring techniques allow a time interval between the onset of an attack and its detection, so that by monitoring the behavior of a running application, by the time the destructive behavior is detected, the application is already compromised and the malicious code is already running. This time interval represents a window of vulnerability for a network operating over the attacked access link.
In addition, firewalls cannot stop everything; they are configured to allow certain classes or types of data to pass through into the protected network. Every malicious activity that exploits a service allowed through a firewall will successfully spread. As a result, firewalls may no longer be sufficient to protect a corporate network from viruses, system penetration, spoofing, data and network sabotage, and denial of service attacks that exploit vulnerabilities in protocols allowed by a firewall.
The reliability and security of an IP network is essential in a world where computer networks are a key element in intra-entity and inter-entity communications and transactions. The actual IDS technology does not give the appropriate performance level required for high-end routers. To address this problem, new techniques are being currently devised. This is a key challenge for the telecom industry and many partial solutions have been proposed so far. Therefore, there is a need to provide a system for confining and detecting malicious activities (e.g. internet worms) in a network that is easy to install and maintain.